Establishing a Collector Initiated Subscription:
1. Download and install WS-Management/WinRM on the client and collector computers (it is built into Vista/2008 but is a separate download for XP/2003). Configure WinRM with the command "winrm quickconfig". Event Viewer gains a Microsoft-Windows-Forwarding/Operational log.
2. Configure the Windows Event Collector service on the collector computer with the command "wecutil qc".
3. Import the subscription with the command "wecutil cs sub_CI_Pull0.xml" on the collector computer.
NOTE: Modify sub_CI_Pull0.xml before importing it. I used a domain account with administrative privileges. The Event Selection XPath syntax is sensitive. I was unable to create a query for the Security log. (Security Log Permissions)
4. Run eventvwr.msc on the collector computer. Right-click your subscription and view Runtime Status. The specified clients should show a green Active status. Events will start appearing in the Windows Logs\Forwarded Events log shortly.
Creating a Source Initiated Subscription:
A source-initiated subscription is the preferred way of forwarding events, as it is much easier to deploy via Group Policy.
Repeat steps 1 through 4 above, replacing sub_CI_Pull0.xml in step 3 with sub_SI0.xml.
The extra step to perform on XP/2003 clients is to tattoo the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
Type: REG_SZ
Name: 1
Data: Server=collector.domain.com (FQDN of your collector, HTTP transport only. A valid URI is required for HTTPS, e.g. "Server=https://<FQDN>/wsman/SubscriptionManager/WEC")
and then restart the WinRM service on the client. These extra steps should produce event 104 in your client's Windows Logs\Forwarded Events log with the message "The forwarder has successfully connected to the subscription manager at address <FQDN>.", followed by event 100 with the message "The subscription <sub_name> is created successfully."
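The whole procedure above, scripted, as an added example that is not code from the original post or its attachments. It generates a subscription in the Event Collector schema for either subscription type, imports it on the collector (steps 1 to 4), and applies the client-side registry tattoo for source-initiated forwarding. Everything specific is an assumption: collector.domain.com and xpclient.domain.com are placeholder FQDNs, the subscription IDs reuse the attachment names, the event filter (critical and error events from the Application log) is invented, port 80 is the WinRM 1.1 HTTP default (WinRM 2.0 and later use 5985), and it is run as a domain administrator, as the post did.

```powershell
# Added example: WEF collector and client setup. Not the original post's code.
# Assumed names: collector.domain.com, xpclient.domain.com, sub_CI_Pull0, sub_SI0.
param(
    [ValidateSet('Collector', 'Client')]
    [string]$Role      = 'Collector',
    [ValidateSet('CollectorInitiated', 'SourceInitiated')]
    [string]$Mode      = 'SourceInitiated',
    [string]$Collector = 'collector.domain.com',   # assumed collector FQDN
    [string]$Client    = 'xpclient.domain.com',    # assumed client FQDN (collector-initiated only)
    [int]   $Port      = 80                        # WinRM 1.1 HTTP default; 5985 from WinRM 2.0 on
)

function New-WefSubscriptionXml {
    param([string]$Id, [string]$Mode, [string]$Source)

    # Assumed filter: critical (1) and error (2) events from the Application log.
    $query = '*[System[(Level=1 or Level=2)]]'

    if ($Mode -eq 'CollectorInitiated') {
        $type     = 'CollectorInitiated'
        # Collector polls each listed source; CredentialsType Default uses its machine account.
        $delivery = '<Delivery Mode="Pull"><Batching><MaxItems>20</MaxItems>' +
                    '<MaxLatencyTime>30000</MaxLatencyTime></Batching></Delivery>'
        $tail     = '<CredentialsType>Default</CredentialsType><EventSources>' +
                    '<EventSource Enabled="true"><Address>' + $Source + '</Address>' +
                    '</EventSource></EventSources>'
    } else {
        $type     = 'SourceInitiated'
        # Clients push; the SDDL lets Domain Computers (DC) and Domain Controllers (DD) forward.
        $delivery = '<Delivery Mode="Push"><Batching><MaxItems>20</MaxItems>' +
                    '<MaxLatencyTime>30000</MaxLatencyTime></Batching>' +
                    '<PushSettings><Heartbeat Interval="60000"/></PushSettings></Delivery>'
        $tail     = '<AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)' +
                    '</AllowedSourceDomainComputers>'
    }

    # Element order follows the Event Collector subscription schema.
    return @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Id</SubscriptionId>
  <SubscriptionType>$type</SubscriptionType>
  <Description>Application errors forwarded to $env:COMPUTERNAME</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  $delivery
  <Query><![CDATA[<QueryList><Query Id="0" Path="Application"><Select Path="Application">$query</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  $tail
</Subscription>
"@
}

function Initialize-Collector {
    param([string]$Id, [string]$Mode, [string]$Source)
    winrm quickconfig -q | Out-Null      # step 1: WinRM service and HTTP listener
    wecutil qc /q | Out-Null             # step 2: enable the Event Collector service
    $file = Join-Path $env:TEMP "$Id.xml"
    [System.IO.File]::WriteAllText($file, (New-WefSubscriptionXml $Id $Mode $Source))
    wecutil cs $file                     # step 3: import the subscription
    wecutil gr $Id                       # step 4: runtime status, same data as the Event Viewer dialog
}

function Set-SubscriptionManager {
    param([string]$Collector, [int]$Port)
    # reg.exe is used so the same command can be pasted into cmd.exe on XP/2003.
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    # Full URI form (the post notes the bare FQDN also works for HTTP); Refresh is the re-poll interval in seconds.
    $val = "Server=http://${Collector}:$Port/wsman/SubscriptionManager/WEC,Refresh=60"
    reg add $key /v 1 /t REG_SZ /d $val /f | Out-Null
    Restart-Service WinRM
}

function Test-ForwarderConnected {
    # On Vista/2008 clients events 104 (connected) and 100 (subscription created) are written to
    # Microsoft-Windows-Forwarding/Operational. Get-WinEvent does not exist on XP; check Event Viewer there.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Forwarding/Operational'; Id = 104, 100 } `
        -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

if ($Role -eq 'Collector') {
    if ($Mode -eq 'CollectorInitiated') { Initialize-Collector -Id 'sub_CI_Pull0' -Mode $Mode -Source $Client }
    else                                { Initialize-Collector -Id 'sub_SI0'      -Mode $Mode -Source $null }
} else {
    Set-SubscriptionManager -Collector $Collector -Port $Port   # source-initiated clients only
    Test-ForwarderConnected
}
```

Run it once on the collector (`.\wef.ps1 -Role Collector -Mode SourceInitiated`) and then on each client (`.\wef.ps1 -Role Client -Collector collector.domain.com`). For collector-initiated subscriptions only the collector run is needed, with `-Mode CollectorInitiated -Client <FQDN>`; the client side is handled by step 1 alone.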
WinRM notes: The WinRM configuration has not been altered from the default. It seems that setting the TrustedHosts variable is not necessary (winrm set winrm/config/client @{TrustedHosts="wildcard_machine_name_here"}).
EventCollector notes: The Create Subscription GUI did not work for me for creating a collector-initiated subscription. For some reason I started getting an Access Denied error with this setup, and I had to either change the User Account in Advanced Subscription Settings from Machine Account to a specific user account, or restart the WinRM service on the client.
Please post comments and ideas you have. I am interested in how far we can go with this XP<-->2008 collector setup.
Attachments:
sub_CI_Pull0.xml (1.30 KB) sub_SI0.xml (1.46 KB)